CERT-In Vulnerability Note CIVN-2010-82
Juniper Instant Virtual Extranet (IVE) Input Validation Cross-Site Scripting Vulnerability
Original Issue Date: March 25, 2010
Severity Rating: Medium
System Affected
- Juniper Networks IVE OS versions prior to 6.3R7
- Juniper Networks IVE OS versions prior to 6.4R5
- Juniper Networks IVE OS versions prior to 6.5R2
Overview
A cross-site scripting vulnerability has been reported in Juniper Networks IVE and SA, which could be exploited by remote attackers to execute arbitrary scripts in the user's browser.
Description
Juniper Networks Secure Access (SA) devices are network security devices. They are powered by Juniper Instant Virtual Extranet (IVE) OS and include a web-based interface.
The issue is caused by improper input validation in the bookmark management script "editbk.cgi" when it processes the "row" parameter. Remote attackers could exploit it to execute arbitrary scripts in the user's browser in the security context of the affected site.
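For teams reviewing web logs on unpatched devices, the following added example (not part of the CERT-In note or Juniper's advisory) flags requests to "editbk.cgi" whose "row" value contains HTML markup characters after percent-decoding. The access-log format, the `/PLACEHOLDER/` path prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a value break out of HTML text or attribute context.
MARKUP_CHARS = set("<>\"'`")

# Constructed sample lines (not real device logs); the path prefix is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - alice [25/Mar/2010:10:00:01 +0530] "GET /PLACEHOLDER/editbk.cgi?row=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Mar/2010:10:02:17 +0530] "GET /PLACEHOLDER/editbk.cgi?row=%22%3E%3Cb%3Etest HTTP/1.1" 200 530',
    '10.0.0.9 - - [25/Mar/2010:10:02:40 +0530] "GET /PLACEHOLDER/editbk.cgi?row=%253Cb%253E HTTP/1.1" 200 530',
    '10.0.0.7 - bob [25/Mar/2010:10:03:00 +0530] "GET /PLACEHOLDER/other.cgi?row=%3Cb%3E HTTP/1.1" 200 100',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_row(line):
    """Return the decoded 'row' value if it carries markup characters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/editbk.cgi"):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "row":
            decoded = fully_decode(value)
            if MARKUP_CHARS & set(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line number, decoded row value) for every flagged line."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := suspicious_row(line))]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: row={value!r}")
```

Parameters sent in a POST body do not appear in request-line logs, so this check covers only values carried in the query string.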
Solution
Upgrade to Juniper Networks IVE OS version 6.3R7, 6.4R5 or 6.5R2.
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2010-02-660&viewMode=view
(Login required)
Vendor Information
Juniper Networks
https://www.juniper.net
References
Juniper Networks
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2010-02-660&viewMode=view
VUPEN
http://www.vupen.com/english/advisories/2010/0558
Security Focus
http://www.securityfocus.com/archive/1/509887
SecurityTracker
http://securitytracker.com/alerts/2010/Mar/1023689.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
